Resolve mismatched directory errors for existing Microsoft Entra Domain Services managed domains
If a Microsoft Entra Domain Services managed domain shows a mismatched tenant error, you can't administer the managed domain until resolved. This error occurs if the underlying Azure virtual network is moved to a different Microsoft Entra directory.
This article explains why the error occurs and how to resolve it.
What causes this error?
A mismatched directory error happens when a Domain Services managed domain and its virtual network belong to two different Microsoft Entra tenants. For example, you may have a managed domain called aaddscontoso.com that runs in Contoso's Microsoft Entra tenant, while the Azure virtual network for the managed domain is part of the Fabrikam Microsoft Entra tenant.
Azure role-based access control (Azure RBAC) is used to limit access to resources. When you enable Domain Services in a Microsoft Entra tenant, credential hashes are synchronized to the managed domain. This operation requires you to be a tenant admin for the Microsoft Entra directory, and access to the credentials must be controlled.
To deploy resources to an Azure virtual network and control traffic, you must have administrative privileges on the virtual network in which you deploy the managed domain.
For Azure RBAC to work consistently and secure access to all the resources Domain Services uses, the managed domain and the virtual network must belong to the same Microsoft Entra tenant.
The following rules apply for deployments:
- A Microsoft Entra directory may have multiple Azure subscriptions.
- An Azure subscription may have multiple resources such as virtual networks.
- A Microsoft Entra directory has a single managed domain.
- A managed domain can be enabled on a virtual network belonging to any of the Azure subscriptions within the same Microsoft Entra tenant.
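The rules above reduce to one check: the tenant that owns the subscription containing the virtual network must equal the tenant in which the managed domain is enabled. The following script is an added example, not part of this article or the Domain Services product, that performs that check. It parses the subscription ID out of the virtual network's resource ID and compares tenant IDs; the Azure CLI lookup (`az account show --subscription <id> --query tenantId`) is only invoked when `az` is installed and you are signed in. The tenant ID, virtual network resource ID, and resource names in the script are constructed sample values.

```shell
#!/bin/sh
# Added example: detect a mismatched-tenant Domain Services deployment.
# Constructed sample values (not real tenants or resources):
MANAGED_DOMAIN_TENANT_ID="11111111-1111-1111-1111-111111111111"
VNET_ID="/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-contoso/providers/Microsoft.Network/virtualNetworks/vnet-aadds"

# Extract the subscription ID segment from an Azure resource ID.
# Prints nothing if the ID does not start with /subscriptions/<id>/.
subscription_from_resource_id() {
  printf '%s\n' "$1" | sed -n 's#^/subscriptions/\([^/]*\)/.*#\1#p'
}

# Compare two tenant IDs case-insensitively. Returns 0 only when both are
# non-empty and equal, so a failed lookup never reads as a match.
tenants_match() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Look up the directory that owns a subscription. Requires `az login`; if the
# signed-in account cannot see the subscription the command fails, which is
# itself a hint that it lives in another directory.
tenant_of_subscription() {
  az account show --subscription "$1" --query tenantId -o tsv
}

# Exit 0 when the managed domain tenant and the vnet's tenant match,
# 1 on a mismatch, 2 when the check could not be completed.
check_managed_domain_vnet() {
  sub=$(subscription_from_resource_id "$2")
  if [ -z "$sub" ]; then
    echo "could not parse a subscription ID from: $2" >&2
    return 2
  fi
  vnet_tenant=$(tenant_of_subscription "$sub") || return 2
  if tenants_match "$1" "$vnet_tenant"; then
    echo "OK: managed domain and virtual network both belong to tenant $vnet_tenant"
  else
    echo "MISMATCH: managed domain tenant is $1 but subscription $sub (virtual network) belongs to tenant $vnet_tenant"
    return 1
  fi
}

# Only run the live check when the Azure CLI is available.
if command -v az >/dev/null 2>&1; then
  check_managed_domain_vnet "$MANAGED_DOMAIN_TENANT_ID" "$VNET_ID" || echo "check finished with status $?"
fi
```

To use it against a real deployment, sign in to the directory where the managed domain is enabled (`az account show --query tenantId -o tsv` then prints that directory's tenant ID), set `MANAGED_DOMAIN_TENANT_ID` to it, and set `VNET_ID` to the resource ID of the virtual network the managed domain is deployed into. A non-zero exit from `check_managed_domain_vnet` is the condition the rest of this article describes.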
Valid configuration
In the following example deployment scenario, the Contoso managed domain is enabled in the Contoso Microsoft Entra tenant. The managed domain is deployed in a virtual network that belongs to an Azure subscription owned by the Contoso Microsoft Entra tenant.
Both the managed domain and the virtual network belong to the same Microsoft Entra tenant. This example configuration is valid and fully supported.
Mismatched tenant configuration
In this example deployment scenario, the Contoso managed domain is enabled in the Contoso Microsoft Entra tenant. However, the managed domain is deployed in a virtual network that belongs to an Azure subscription owned by the Fabrikam Microsoft Entra tenant.
The managed domain and the virtual network belong to two different Microsoft Entra tenants. This example configuration is a mismatched tenant and isn't supported. The virtual network must be moved to the same Microsoft Entra tenant as the managed domain.
Resolve mismatched tenant error
The following two options resolve the mismatched directory error:
- First, delete the managed domain from your existing Microsoft Entra directory. Then, create a replacement managed domain in the same Microsoft Entra directory as the virtual network you wish to use. Because the replacement is a new domain, existing machine trust relationships don't carry over: when ready, rejoin every machine that was joined to the deleted domain to the replacement managed domain.
- Move the Azure subscription containing the virtual network to the same Microsoft Entra directory as the managed domain. Transferring a subscription to a different directory affects every resource in that subscription, and Azure role assignments on the subscription are removed in the transfer and must be re-created afterwards.
Next steps
For more information on troubleshooting issues with Domain Services, see the troubleshooting guide.